While organizations have increasingly embraced cloud computing as a solution to their data management and other needs, they do so in an environment of heightened risks. Attacks on cloud providers are increasing, which makes it ever more important to ensure that the rewards outweigh the risks, including from a compliance perspective.
Chris Ford, Vice President Product, Threat Stack, advises organizations look to cloud service providers that have taken the step of becoming certified against standards such as ISO 27001 or SOC 2. He also recommends not stopping there and looking to certifications that align with specific risk areas such as IPAA, GDPR, CCPA or PCI.
That’s still not enough, though, he cautions in this podcast. Meet with the security team to discuss the organization’s practices and how it manages third party vendor risk. If their practices aren’t secure or the team is unwilling to meet with you that should be a very large red flag. So, too, is the approach to compliance: stay away from vendors who take a check-the-box approach.
Other pieces of advice he offers:
- Ask if they scan code in the build pipeline
- Determine if they do runtime monitoring of the infrastructure
- Find out what tools they use to ensure your date is secure
- Make sure they are constantly scanning for vulnerabilities
Finally, security is a “team sport” he notes. It’s important to maintain trust on an ongoing basis and look at this as a journey together. Be sure to learn from the failures of others, and, of course, make sure that you are just as vigilant of your internal IT security as you are of your vendor’s.